[CentOS] sshd key exchange security

Fri Sep 11 15:44:26 UTC 2015
Chris Adams <linux at cmadams.net>

Once upon a time, Alice Wonder <alice at domblogger.net> said:
> They recommend setting the following:
> 
> KexAlgorithms curve25519-sha256@libssh.org
> 
> I don't even see that directive in my sshd config to set it, I
> suppose it may be one that is manually added when needed but I want
> to verify it actually means something in CentOS 7 ssh.
> 
> Also I'm a little worried that maybe curve25519 is one of the curves
> that Red Hat (and thus CentOS 7) doesn't support due to patent
> concerns.

That is supported in the CentOS 7 version of OpenSSH.  Look at the man
page for sshd_config and you'll see the KexAlgorithms option listed and
its valid values.  You can always see what your exact copy and config of
OpenSSH are using by running "sshd -T".

However, if you set it as above, you would _only_ be able to connect
with that algorithm, and not all SSH clients support that (even for
example OpenSSH on CentOS 6).
-- 
Chris Adams <linux at cmadams.net>
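A small audit script, added here as an example and not part of the thread, that compares the KEX list sshd reports via "sshd -T" with the list a client offers, so a KexAlgorithms setting that would lock out older clients is caught before it ships. The "sshd -T" output and the client list are constructed samples; "ssh -Q kex" as the source of a client's list is an assumption about tooling that only holds on OpenSSH releases with the -Q option.

```shell
#!/bin/sh
# Added example: check which key-exchange algorithms a server (per "sshd -T")
# and a client (per "ssh -Q kex" where available) have in common.

# Constructed sample of "sshd -T" output: curve25519 first, older fallbacks kept.
SSHD_T_SAMPLE='port 22
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
ciphers aes128-ctr,aes192-ctr,aes256-ctr'

# Constructed sample of a strict setting that offers curve25519 only.
SSHD_T_STRICT='port 22
kexalgorithms curve25519-sha256@libssh.org'

# Constructed (assumed) list of what an older client offers, one per line,
# in the shape "ssh -Q kex" prints on clients that support -Q.
OLD_CLIENT_KEX='diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1'

# server_kex: print the server's KEX algorithms, one per line, parsed from
# the "kexalgorithms a,b,c" line of "sshd -T" output passed as $1.
server_kex() {
    printf '%s\n' "$1" |
        awk '$1 == "kexalgorithms" { n = split($2, a, ","); for (i = 1; i <= n; i++) print a[i] }'
}

# common_kex: print algorithms offered by both server ($1, "sshd -T" output)
# and client ($2, one per line), in the client's order. Empty output means
# the client cannot complete key exchange with this server configuration.
common_kex() {
    {
        server_kex "$1" | sed 's/^/S /'
        printf '%s\n' "$2" | sed 's/^/C /'
    } | awk '$1 == "S" { s[$2] = 1 } $1 == "C" && ($2 in s) { print $2 }'
}

# can_connect: succeed (exit 0) when at least one algorithm is shared.
can_connect() {
    [ -n "$(common_kex "$1" "$2")" ]
}

# Stand-alone usage: report both configurations against the old client.
for cfg in "$SSHD_T_SAMPLE" "$SSHD_T_STRICT"; do
    if can_connect "$cfg" "$OLD_CLIENT_KEX"; then
        echo "ok: shared kex -> $(common_kex "$cfg" "$OLD_CLIENT_KEX" | tr '\n' ' ')"
    else
        echo "LOCKOUT: no kex shared with this client"
    fi
done
```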